Malware Analysis - Keymarble

Article by Vishal Thakur

InfoSec researcher specialising in Incident Response and Malware Analysis.

Introduction

Keymarble is a trojan that has recently been seen in the wild.
US-CERT released its initial analysis report on this malware (AR18-221A) late last week; it can be accessed here - https://www.us-cert.gov/ncas/analysis-reports/AR18-221A

In this article we analyse the malware and try to understand its execution flow. We also look at some useful network IOCs that can be extracted from the binary. Some of these are documented in the US-CERT release linked above; we also look at other IOCs that have not yet been released publicly. This is a quick analysis that looks at the malware from an IR point of view.

Analysis

Let's start by looking at the modules that are loaded initially upon execution:
[screenshot]

For network-based IOCs we focus on the Winsock module, ws2_32.dll.
We set breakpoints on the relevant exported functions (for example connect, whose sockaddr argument carries the destination address) and then run the malware.

The C2 IP addresses are hard-coded into the binary and are hit quickly while executing.

These can be extracted quite easily from the stack. Let's take a look at the stack values for each of the three IPs:

[screenshot]

[screenshot]

[screenshot]

These IPs can also be extracted from a memory dump of the process, as the main module loads them into memory on execution:

[screenshot]
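The two extraction methods described above, as an added example (this is not code from the original article and none of the bytes come from the Keymarble sample): decoding the sockaddr_in that a breakpoint on ws2_32!connect exposes on the stack, and scanning a process memory dump for IPv4 literals stored as ASCII or UTF-16LE strings. The sample sockaddr and the sample dump are constructed for the demonstration.

```python
"""
Added example (not from the original article): two ways to recover the
hard-coded C2 addresses discussed above.

1. decode_sockaddr_in(): when a breakpoint on ws2_32!connect hits, its second
   argument points at a sockaddr_in; the 16 bytes read from there decode to
   family, port and IPv4 address (port and address are stored in network
   byte order, the family in host byte order).
2. find_ipv4_strings(): scan a process memory dump for ASCII and UTF-16LE
   IPv4 literals, the way the addresses were pulled from the mem-dump.

All sample bytes below are constructed for this demonstration; they are not
taken from the Keymarble sample.
"""
import ipaddress
import re
import struct

AF_INET = 2

# Constructed: what a sockaddr_in for 104.194.160.59:443 looks like in memory.
SAMPLE_SOCKADDR = bytes.fromhex("0200 01bb 68c2a03b 0000000000000000")

# Constructed memory dump: ASCII and UTF-16LE strings, a version string and a
# bogus address, to show what the scanner keeps and what it drops.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"104.194.160.59\x00"
    + "100.43.153.60".encode("utf-16-le") + b"\x00\x00"
    + b"version 10.0.17134.1\x00"
    + b"999.1.1.1\x00"
    + b"212.143.21.43\x00"
    + "www.google.com".encode("utf-16-le")
)

ASCII_IPV4 = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")
UTF16_IPV4 = re.compile(rb"(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}")


def decode_sockaddr_in(buf: bytes) -> dict:
    """Decode a Winsock sockaddr_in (16 bytes) as read off the stack or heap."""
    if len(buf) < 16:
        raise ValueError("sockaddr_in is 16 bytes")
    family = struct.unpack_from("<H", buf, 0)[0]  # sin_family, host order (x86 LE)
    port = struct.unpack_from(">H", buf, 2)[0]    # sin_port, network order
    ip = str(ipaddress.IPv4Address(buf[4:8]))     # sin_addr, network order
    return {"family": family, "port": port, "ip": ip}


def find_ipv4_strings(dump: bytes) -> list:
    """Return the unique, valid IPv4 literals found as ASCII or UTF-16LE text."""
    found = set()
    for m in ASCII_IPV4.finditer(dump):
        found.add(m.group().decode("ascii"))
    for m in UTF16_IPV4.finditer(dump):
        found.add(m.group().decode("utf-16-le"))
    valid = []
    for s in found:
        try:
            ipaddress.IPv4Address(s)  # rejects octets > 255 such as 999.1.1.1
        except ipaddress.AddressValueError:
            continue
        valid.append(s)
    # Dotted quads that are really version numbers can still slip through;
    # cross-check the hits against what the debugger shows at connect().
    return sorted(valid)


if __name__ == "__main__":
    print(decode_sockaddr_in(SAMPLE_SOCKADDR))
    print(find_ipv4_strings(SAMPLE_DUMP))
```

Run it as a script to see the decoded sockaddr and the three addresses recovered from the constructed dump; point find_ipv4_strings at a real dump (for example one written by your debugger or procdump) to use it for triage.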

There are some other interesting bits that we can see by analysing the binary.

It also makes a request to www.google.com, which looks like a connectivity test. Let's take a look at the registers:

[screenshot]

And here's the memory dump:

[screenshot]

There are a few calls to the Sleep function to delay execution. Sleep takes a single argument, the delay in milliseconds: at a breakpoint on the function entry it sits at [esp+4] on 32-bit and in rcx on 64-bit, so overwriting it with 0 on the stack or in the register makes the executable run faster.

The delay varies from 3000 ms to 60000 ms.

[screenshot]

[screenshot]

[screenshot]

Here we can see it retrieving the local time of the machine:

[screenshot]

This is a part of the code that extracts the computer name:

[screenshot]

This information is collected to be sent back to the C2.

Another interesting thing hard-coded into the binary is a list of geo-coordinates for major cities and countries around the world (most probably a stock list):

[screenshot]

Looking up the co-ordinates gives the geo-location:

[screenshot]

At this time, the C2 locations are not actively serving content:

[screenshot]

Conclusion

Keymarble is a trojan with capabilities that make it operate as a RAT. The C2 IP addresses are hard-coded into the binary. We were able to extract some additional information from the binary that can be used for monitoring. Any direct request to www.google.com from a process other than a browser is a usable IOC for this malware; it can be noisy, but depending on your setup it can be run in monitoring mode first and promoted to an alert based on the results.

We can also see a couple of non-malicious domains loaded into memory (extracted from the memory dump of the process). Both are Windows name-resolution artefacts (pnrp.net belongs to the Peer Name Resolution Protocol and ipv6-literal.net is the suffix Windows uses for IPv6 literal host names), so they should not be treated as indicators -

pnrp.net
ipv6-literal.net

The process also requested the following host (the reversed octets 59.160.194.104 correspond to 104.194.160.59, the first hard-coded IP, so this hostname refers to that C2 server):

a.59.160.194.104.servpac.com - port:443

Hard-coded IPs:

104.194.160.59
100.43.153.60
212.143.21.43

MD5: 704d491c155aad996f16377a35732cb4

SHA256: e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09

SSDEEP: 3072:IDdXEYhXxS550wwiY0Pe6Q1vLo4lJnCtea:EXEEXxcQxZ
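Detection logic for the network IOCs listed above, as an added example (not part of the original article): the hard-coded C2 IPs are matched as a high-fidelity indicator, and the noisier "non-browser process talking to www.google.com" IOC is matched against an assumed allow-list of browser image names. The events are JSON lines modelled on Sysmon Event ID 3 (network connection) and Event ID 22 (DNS query) field names; the log lines themselves are constructed for this example.

```python
"""
Added example (not part of the original article): detection logic for the
network IOCs listed above, run over constructed sample events.

Events are JSON lines modelled on Sysmon Event ID 22 (DNS query: Image,
QueryName) and Event ID 3 (network connection: Image, DestinationIp,
DestinationPort). The log lines are made up for this example and the browser
allow-list is an assumption to be tuned per environment.
"""
import json

# IOCs from the analysis above.
C2_IPS = {"104.194.160.59", "100.43.153.60", "212.143.21.43"}
CONNECTIVITY_CHECK_HOSTS = {"www.google.com", "google.com"}

# Assumed allow-list of processes expected to talk to google.com directly.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample events. The svchost.exe lookup of pnrp.net is included
# as a reminder that Windows name-resolution traffic is not an indicator.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "DestinationIp": "104.194.160.59", "DestinationPort": 443}
{"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "www.google.com"}
{"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "QueryName": "www.google.com"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "pnrp.net"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 53}
"""


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict):
    """Return an alert dict for one event, or None if nothing matched."""
    image = image_name(event.get("Image", ""))
    # High fidelity: any connection to a hard-coded C2 address.
    if event.get("EventID") == 3 and event.get("DestinationIp") in C2_IPS:
        return {"severity": "high", "rule": "keymarble_c2_ip",
                "image": image, "indicator": event["DestinationIp"]}
    # Low fidelity (monitoring mode): connectivity check from a non-browser.
    if event.get("EventID") == 22:
        qname = event.get("QueryName", "").lower().rstrip(".")
        if qname in CONNECTIVITY_CHECK_HOSTS and image not in BROWSER_IMAGES:
            return {"severity": "low", "rule": "non_browser_google_lookup",
                    "image": image, "indicator": qname}
    return None


def scan(lines: str) -> list:
    """Run evaluate() over newline-delimited JSON events and collect alerts."""
    alerts = []
    for line in lines.strip().splitlines():
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this raises two alerts, both on update.exe: the C2 connection and the google.com lookup. The allow-list will need extending with updaters and other legitimate software in your environment before the low-severity rule is promoted from monitoring to alerting, as the conclusion above suggests.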